Description
Potential Security Vulnerability Detected
Repository: nodejs/node
Commit: 84d1e6c
Author: Nora Dossche
Date: 2026-02-24T19:51:58Z
Commit Message
crypto: fix potential null pointer dereference when BIO_meth_new() fails
This function can return null, which will make the calls to
BIO_meth_set_* trigger a null deref.
Even after fixing this, there is an issue with the
`BIOPointer::New(GetMethod())` call in `NodeBIO::New` because the
`New` method cannot handle a null pointer despite other code already
guarding for this
(e.g. the `NodeBIO::New` function already checks `bio`).
This patch solves the issues by adding more null checks.
PR-URL: https://github.com/nodejs/node/pull/61788
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Pull Request
PR: #61788 - crypto: Fix potential null pointer dereference when BIO_meth_new() fails
Labels: crypto, c++, author ready, needs-ci, dependencies, commit-queue-squash
Description:
This function can return null, which will make the calls to BIO_meth_set_* trigger a null deref.
Even after fixing this, there is an issue with the BIOPointer::New(GetMethod()) call in NodeBIO::New because the New method cannot handle a null pointer despite other code already guarding for this
(e.g. the NodeBIO::New function already checks bio). This patch solves the issues by adding more null checks.
Note: this was found by a static-dynamic analyser I'm developing.
Analysis
Vulnerability Type: Null Pointer Dereference
Severity: High
Description
The code failed to check if BIO_meth_new() returns NULL before passing the result to BIO_meth_set_* functions, causing a null pointer dereference. This could lead to application crashes and potential denial of service when SSL/TLS operations are initiated under memory pressure conditions.
Affected Code
```cpp
// BIO_meth_new() can return NULL; the result is passed on without a check.
BIO_METHOD* method = BIO_meth_new(BIO_TYPE_MEM, "node.js SSL buffer");
BIO_meth_set_write(method, Write);
```
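The two guards the commit message describes (one before the setters, one in the wrapper's `New`), sketched as an added example; this is not the Node.js patch and not code from the page. `Method`, `MethNew`, `MethSetWrite`, `Bio`, `NewBio`, `CreateBio` and `g_fail_alloc` are hypothetical stand-ins for `BIO_METHOD`, `BIO_meth_new()`, a `BIO_meth_set_*` setter and the `BIOPointer`/`NodeBIO` wrappers, so the block compiles without OpenSSL.

```cpp
#include <cstdio>
#include <memory>
#include <new>
#include <utility>

// Hypothetical stand-ins, not OpenSSL: Method plays BIO_METHOD, MethNew plays
// BIO_meth_new(), MethSetWrite plays one of the BIO_meth_set_* setters.
using WriteFn = int (*)(const char*, int);
struct Method { WriteFn write = nullptr; };

bool g_fail_alloc = false;  // test hook that simulates a failed allocation

Method* MethNew() { return g_fail_alloc ? nullptr : new (std::nothrow) Method(); }

// Writes through the pointer without checking it, which is the behaviour the
// page describes for BIO_meth_set_* when handed a null method.
void MethSetWrite(Method* m, WriteFn fn) { m->write = fn; }

int Write(const char*, int len) { return len; }

// Guard 1: stop before any setter runs if the allocation failed.
std::unique_ptr<Method> GetMethod() {
  std::unique_ptr<Method> m(MethNew());
  if (!m) return nullptr;
  MethSetWrite(m.get(), Write);
  return m;
}

struct Bio { std::unique_ptr<Method> method; };

// Guard 2: the wrapper's constructor rejects a null method itself, so it is
// safe even when a caller forwards GetMethod()'s result unchecked.
std::unique_ptr<Bio> NewBio(std::unique_ptr<Method> method) {
  if (!method) return nullptr;
  return std::unique_ptr<Bio>(new (std::nothrow) Bio{std::move(method)});
}

// Caller: an allocation failure surfaces as a null handle, not a crash.
std::unique_ptr<Bio> CreateBio() { return NewBio(GetMethod()); }

int main() {
  g_fail_alloc = true;
  std::printf("alloc fails -> bio is %s\n", CreateBio() ? "valid" : "null");
  g_fail_alloc = false;
  std::printf("alloc works -> bio is %s\n", CreateBio() ? "valid" : "null");
  return 0;
}
```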
Proof of Concept
Trigger memory exhaustion by creating many large objects, then initiate an SSL/TLS connection, which calls NodeBIO::GetMethod(). When BIO_meth_new() fails and returns NULL due to memory pressure, the subsequent BIO_meth_set_write(NULL, Write) call will dereference a NULL pointer, causing a segmentation fault and application crash.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-02-24T19:55:06.508Z